Sylvain Beucler <[EMAIL PROTECTED]> wrote:

> Mathieu Roy wrote:
>> Sylvain Beucler <[EMAIL PROTECTED]> wrote:
>> > The change is not very hard (attached). I used the field
>> > description: "Email address of the person who submitted the item
>> > (if different from the submitter field, add address to CC list)" -
>> > so I did not make the checkbox I mentioned (of course, this is not
>> > because such a feature is tedious to implement). If it is ok I will
>> > commit it.
>> >
>> > However, I do have to test whether the user did not fake the form:
>> > he could use a custom form to set the originator mail field. I
>> > could also set the "assigned to" field using this method. I think
>> > we should add this check for all fields when creating the tracker
>> > item.
>> 
>> Hum, users asked to be specifically able to have preformatted
>> entries. For instance, some software include in their interface a
>> link to their bug tracker prefilling some fields (like system or
>> whatever). I think it is safe and handy; in the case of the email
>> address, we'll still have the risk of spamming people.
>
> No, I said that people could send requests (e.g. using an edited HTML
> form or curl) that set fields they should not be able to set.
> "Assigned to" can only be set by tracker admins, not by an anonymous
> user. However, I could set it as anonymous using a modified HTML form.

But normally checks are made before the SQL commands are run; so if
they enter crap in the form, it will not do any harm.

>> I think that I remember now why we decided not to link the
>> originator email to notification :)
>> In fact, the point was: if someone wants to be notified, he has to
>> create an account. He can leave his address if he wants but that's
>> not the preferred way - if we allow non-logged-in users to generate
>> CC, we allow spam in some way.
>
> As I wrote in my previous mail, I think the 'spam risk' is very low
> (did you read that one?

Not sure.

> I actually posted 2 different replies).

Hum, I have seen this kind of spam frequently enough these days so I'd like
to prevent this problem. Spammers always find new ideas to spam more
and more...


> In my case, I needed that feature. It is useful when people only
> report one bug and don't need to create an account, and when they post
> a support request to recover their account.
> I think project admins who do not want such a feature can add a custom
> field with the same name "Originator Email", but that one won't have
> the special ability to add its contents to the CC list.

Right. 


-- 
Mathieu Roy

  +---------------------------------------------------------------------+
  | General Homepage:           http://yeupou.coleumes.org/             |
  | Computing Homepage:         http://alberich.coleumes.org/           |
  | Not a native english speaker:                                       |
  |     http://stock.coleumes.org/doc.php?i=/misc-files/flawed-english  |
  +---------------------------------------------------------------------+
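
The check discussed in this thread, sketched as an added example that is not part of the original mail or of the project's code: the server decides per field which roles may set it when an item is created, and accepts the originator email for the CC list only when it is a single well-formed address. Field names, roles and the policy table are assumptions.

```python
import re

# Hypothetical policy: roles allowed to set each field when an item is created.
EVERYONE = {"anonymous", "member", "admin"}
FIELD_WRITERS = {
    "summary": EVERYONE,
    "details": EVERYONE,
    "system": EVERYONE,            # links that prefill this field keep working
    "originator_email": EVERYONE,
    "assigned_to": {"admin"},      # tracker admins only
}
# Exactly one address: no whitespace, separators or angle brackets.
ONE_ADDRESS = re.compile(r"[^@\s,;<>]+@[^@\s,;<>]+\.[^@\s,;<>]+")


def filter_submission(role, posted):
    """Split posted fields into (accepted, rejected) for the given role."""
    accepted, rejected = {}, {}
    for name, value in posted.items():
        writers = FIELD_WRITERS.get(name)
        if writers is None:
            rejected[name] = "unknown field"
        elif role not in writers:
            rejected[name] = "role may not set this field"
        elif name == "originator_email" and not ONE_ADDRESS.fullmatch(value):
            rejected[name] = "not a single well-formed address"
        else:
            accepted[name] = value
    return accepted, rejected


def cc_for(accepted, submitter_email=None):
    """CC the originator only when it differs from the submitter's address."""
    origin = accepted.get("originator_email")
    return [origin] if origin and origin != submitter_email else []


# Constructed request, as an edited form or curl could send it.
FORGED = {
    "summary": "Crash on save",
    "system": "GNU/Linux",
    "assigned_to": "someadmin",
    "originator_email": "a@example.org, b@example.org",
}

if __name__ == "__main__":
    print(filter_submission("anonymous", FORGED))
```

Prefilled fields that any visitor may set pass through unchanged, so links that preformat an entry are unaffected by the check.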
